A vulnerability in Google Apps Script could have allowed attackers to use Google Drive as a means of discreetly delivering malware to unsuspecting victims.
Uncovered by Proofpoint, threat actors exploiting this vulnerability could use it to drop any form of malware on a machine -- although such attacks have yet to be observed in the wild.
Researchers found that Google Apps Script and the document-sharing capabilities within Google supported automatic malware downloads and the ability to socially engineer victims into executing the malicious file once delivered. They also discovered that it was possible to trigger this type of attack without any input from the end user.
Ultimately, the vulnerability allows attackers to combine legitimate Google Drive invitation lures with the ability to distribute malware stored on Google Drive.
The attack "demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years," said Maor Bin, threat systems products research lead at Proofpoint.
As part of ongoing research into the capability of third-party applications, it was discovered that a Google Doc could be used to host a Google Apps Script for delivering malware.
Attackers regularly use software like Google Docs and Google Drive to host malware, but social engineering is required to trick users into downloading the payload. In this instance, the user receives a legitimate link to edit a Google Doc, but self-propagation enables the malware to run, leaving the victim none the wiser that anything has happened. It's just the latest example of attackers exploiting legitimate software for malicious ends.
"New capabilities like Google Apps Script are creating considerable opportunities for threat actors who can leverage newfound vulnerabilities or use 'good for bad' - making use of legitimate features for malicious purposes," said Bin.
Users should therefore be wary of clicking unexpected links, especially from unknown senders.
Google has implemented fixes to prevent Apps Script from being abused: it now blocks installable triggers -- customizable events that cause certain actions to occur automatically -- and prevents simple triggers from opening content in a different user session.
"We appreciate Proofpoint's contributions and have rolled out changes to address this potential vulnerability. We continuously work to stay ahead of potential threats," a Google spokesperson told ZDNet.
However, Proofpoint warns that this won't stop attackers, who will continue in their efforts to exploit SaaS applications, especially as they become more mainstream.
"Organizations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat," said Bin.
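The lure the article describes is a Drive share invitation from an outside sender whose file is an Apps Script project or an executable payload. The following triage helper, an added example that is not part of the article or Proofpoint's research, flags that combination in a batch of share events; the event shape and the tenant domain are assumptions for illustration, not Google's real audit-log schema (only the Apps Script MIME type is Google's).

```javascript
// Constructed triage of Drive share events for the lure pattern described
// in the article. Event shape is an ASSUMED illustrative format, not the
// real Google Workspace audit-log schema.

const APPS_SCRIPT_MIME = "application/vnd.google-apps.script"; // real Drive MIME type
const RISKY_MIMES = new Set([
  APPS_SCRIPT_MIME,
  "application/x-msdownload",
  "application/zip",
  "application/octet-stream",
]);

// Assumed tenant domain; anything else is treated as an external sender.
const INTERNAL_DOMAINS = new Set(["example.org"]);

// Constructed sample events (assumed shape: who shared what with whom).
const sampleEvents = [
  { actor: "alice@example.org", target: "bob@example.org",
    mimeType: "application/vnd.google-apps.document", title: "Q3 plan" },
  { actor: "invite@mail-share.example", target: "bob@example.org",
    mimeType: APPS_SCRIPT_MIME, title: "Invoice review" },
  { actor: "ops@partner.example", target: "carol@example.org",
    mimeType: "application/x-msdownload", title: "installer" },
];

function isExternal(email) {
  const domain = email.split("@")[1] || "";
  return !INTERNAL_DOMAINS.has(domain.toLowerCase());
}

// Returns the reasons an event is interesting and whether it should be
// flagged. Only the combination from the article (external sender plus a
// script or binary artefact) is flagged; each signal alone is just noted.
function triageShareEvent(ev) {
  const reasons = [];
  if (isExternal(ev.actor)) reasons.push("external-sender");
  if (RISKY_MIMES.has(ev.mimeType)) reasons.push("risky-file-type");
  if (ev.mimeType === APPS_SCRIPT_MIME) reasons.push("apps-script-project");
  const flagged = reasons.includes("external-sender") &&
    reasons.includes("risky-file-type");
  return { flagged, reasons };
}

// Filter a batch of events down to those that deserve analyst review.
function triageAll(events) {
  return events.filter((ev) => triageShareEvent(ev).flagged);
}
```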
Hackers have been known to use Google Apps Script to send and receive commands in order to deliver Carbanak malware.